Merge pull request #20 from AAU-Dat/corrections2

Corrections2

Author: ironmand123

report/src/bib/main.bib

@@ -160,12 +160,20 @@ @article{Feistle
 }
 
 @article{safrole,
-    title        = {-safrole},
+    title        = {Safrole},
     author       = {Polkadot Web3 Foundation},
     note         = {Accessed: 16-05-2025},
     url = {https://wiki.polkadot.network/learn/learn-safrole/}
 }
 
+@article{sassafras,
+    title        = {Sassafras},
+    author       = {Polkadot Web3 Foundation},
+    note         = {Accessed: 23-05-2025},
+    url = {https://research.web3.foundation/Polkadot/protocols/block-production/SASSAFRAS}
+}
+
+
 @inproceedings{10.1145/501983.502000,
     author = {Neff, C. Andrew},
     title = {A verifiable secret shuffle and its application to e-voting},
@@ -182,4 +190,12 @@ @inproceedings{10.1145/501983.502000
     keywords = {zeroknowledge, verifiable shuffle, verifiable mix, universal verifiability, permutation, mix-net, honest-verifier, electronic voting, anonymous credentials},
     location = {Philadelphia, PA, USA},
     series = {CCS '01}
-}
+}
+
+@misc{cryptoeprint:2023/1241,
+    author = {Dan Boneh and Aditi Partap and Lior Rotem},
+    title = {Post-Quantum Single Secret Leader Election ({SSLE}) From Publicly Re-randomizable Commitments},
+    howpublished = {Cryptology {ePrint} Archive, Paper 2023/1241},
+    year = {2023},
+    url = {https://eprint.iacr.org/2023/1241}
+}

report/src/main.tex

@@ -16,8 +16,8 @@
     \maketitle
     \input{sections/00-abstract}
     \input{sections/01-introduction}
-    \input{sections/03-background}
-    \input{sections/02-related-work}
+    \input{sections/02-background}
+    \input{sections/03-related-work}
     \input{sections/04-approach}
     \input{sections/05-experimental-protocol}
     \input{sections/06-results}

report/src/sections/03-background.tex renamed to report/src/sections/02-background.tex

@@ -1,6 +1,5 @@
-
 \section{Background}\label{sec:background}
-In this section, we provide the necessary background information on the Curdleproofs protocol~\cite{Curdleproofs}, the Whisk protocol~\cite{Whisk2024} and an overview of the notation used in the paper.
+In this section, we provide the necessary background information on Ethereum and a specific attack it is vulnerable to, the Curdleproofs protocol~\cite{Curdleproofs}, and the Whisk protocol~\cite{Whisk2024}
 
 The notation used throughout this paper can be seen in~\autoref{tab:notation}.
 \begin{table*}[!htb]
@@ -56,35 +55,31 @@ \section{Background}\label{sec:background}
 
 Since this work is based on the existing Curdleproofs protocol~\cite{Curdleproofs}, it inherits the same security assumptions.
 Our work therefore runs as a public coin protocol in any cryptographic group where~\gls{ddh} is hard~\cite{10.1007/BFb0054851}.
+\gls{ddh} is defined as follows.
 
 \begin{definition}[DDH]
  Given a finite, multiplicative cyclic group $\mathbb{G}$ of prime order $p$, the decisional Diffie-Hellman problem is defined as follows: Given $(g^a,g^b,g^c)\in\mathbb{G}$, where $g$ is a generator of $\mathbb{G}$ and $a,b,c\in\mathbb{Z}_p$, decide whether $c=ab$.
 \end{definition}
 
 \subsection{Whisk}\label{subsec:related-work-whisk}
-
-\paragraph*{\textbf{Ethereum Proof of Stake}}\label{par:background-ethereum}
 Ethereum uses a proof-of-stake consensus mechanism, which allows users to validate transactions and create new blocks by staking their Ether (ETH) tokens.
 The Proof-of stake protocol works in epochs of 32 slots, where each slot is 12 seconds long.
 In each slot a proposer is chosen to propose a block thereby allowing the network to reach consensus on the state of the blockchain.
 
-\paragraph*{\textbf{Proposer DoS attack}}\label{sec:background-proposer-DoS-attacks}
 The proposer DoS attack is a type of attack that targets the block proposers making them unable to propose blocks.
-An adversary can use the proposer DoS attack to prevent a proposer from receiving rewards, gotten from proposing a block, and increase their oen rewards~\cite{EthereumSSLE2024}.
+An adversary can use the proposer DoS attack to prevent a proposer from receiving rewards, gotten from proposing a block, and increase their own rewards~\cite{EthereumSSLE2024}.
 As a response to the proposer DoS attack, Ethereum has proposed a new protocol called Whisk~\cite{Whisk2024} as an attempt to mitigate the attack.
 An attack on the Ethereum network that was discovered by Heimbach et al.~\cite{heimbach2024deanonymizingethereumvalidatorsp2p} is the deanonymization attack on validators.
-In our preliminary work~\cite{ouroldpaper}, we have shown that the attack still possible to perform on the Ethereum network, and using the attack, a proposer~\gls{dos} can be performed.
+In our preliminary work~\cite{ouroldpaper}, we have shown that the attack is still possible to perform on the Ethereum network, and using the attack, a proposer~\gls{dos} can be performed.
 
 
-\paragraph*{\textbf{The Whisk protocol}}\label{sec:background-mitigation}
 Whisk is a zero-knowledge Single Secret Leader Election (SSLE) system that uses a zero-knowledge argument called Curdleproofs~\cite{Curdleproofs} to verify the correctness of a shuffle without revealing the input or output~\cite{10.1145/3419614.3423258}.
-Whisk works by selecting a list of proposers 16384 and shuffling them over 8192 slots (1 day).
-Then 8192 proposers are selected from the shuffled list to propose blocks for the next 8192 slots while a new list is being shuffled.
+Whisk works by selecting a list of 16,384 validator trackers and shuffles them over 8,192 slots ($\sim$1 day).
+Then 8,192 proposers are selected from the shuffled list to propose blocks for the next 8,192 slots while a new list is being shuffled.
 This way a new list of proposers is created every day.
-After each shuffle Whisk uses a zero-knowledge proof to prove that the shuffle is correct.
+After each shuffle, Whisk uses a zero-knowledge proof to prove that the shuffle is correct.
 This is so that the proposer can prove that they are the correct proposer for the slot without revealing their identity, thereby mitigating the proposer~\gls{dos} attack because of the identity of the upcoming proposers being hidden now.
 
-\paragraph*{\textbf{Curdleproofs}}\label{sec:background-curdleproofs}
 Curdleproofs is a zero-knowledge proof system that allows a prover to prove knowledge of a shuffle without revealing how it shuffled the elements.
 It does so by using three different zero-knowledge proofs, with one of them relying on two more zero-knowledge proofs.
 
@@ -93,9 +88,9 @@ \subsection{Whisk}\label{subsec:related-work-whisk}
 Then, using the Fiat-Shamir transformation, a challenge, $\mathbf{a}$, from public inputs is constructed, and a new commitment is made from that, $A=\sigma(\mathbf{a})\times\mathbf{g}$.
 The~\gls{sameperm} proof now consists of convincing the verifier that the same permutation was used for constructing commitment $A$ and $M$.
 To do this, the two commitments are used to construct a polynomial equation.
-Then Neff's trick~\cite{10.1145/501983.502000}, which observes that two polynomials are equal iff.\ their roots are the same up to permutation.
+Then Neff's trick~\cite{10.1145/501983.502000} is used, which observes that two polynomials are equal iff.\ their roots are the same up to permutation.
 
-This is proven through a grand product argument.
+To prove that, the protocol makes use of a grand product argument.
 To prove that argument, Curdleproofs compiles it down to an~\gls{ipa} by expressing each multiplication of the grand product as its own equation.
 
 Hence, the~\gls{sameperm} proof is done if the prover can prove the~\gls{ipa}.
@@ -116,9 +111,19 @@ \subsection{Whisk}\label{subsec:related-work-whisk}
 
 \subsection{Zero-knowledge proofs}\label{sec:background-zkps}
 Curdleproofs is a zero-knowledge proof system, which means that it allows a prover to convince a verifier that they know a secret without revealing the secret itself.
-within the context of Ethereum it could be the ability to convince someone that a transaction is valid without revealing information about the transaction such as the value of it.
+Within the context of Ethereum it could be the ability to convince someone that a transaction is valid without revealing information about the transaction such as the value of it.
+In Whisk, it uses Curdleproofs to prove the validity of a shuffle.
 
 \begin{definition}[Zero-Knowledge Argument of Knowledge]
     An argument $(Setup, P, V)$ is a zero-knowledge argument of knowledge of a relation $\mathbb{R}$ if it satisfies completeness, knowledge-soundness and is honest-verifier zero-knowledge.
 \end{definition}
 
+Definitions for knowledge-soundness, completeness, and~\gls{hvzk} can be found in~\autoref{sec:appendix}.
+
+\subsection{Problem definition}\label{subsec:problem-definition}
+In Chapter 6 of Curdleproofs~\cite{Curdleproofs}, they explain the efficiency of the protocol, including also the size of the proof.
+They specifically mention that the proof has size $18+10 \log(\ell+4)\mathbb{G}$, $7\mathbb{F}$.
+As the proof size is dependent on the size of the shuffle, $\ell$, an interest in the possibility of reducing this parameter arises.
+The current proposal of curdleproofs only works on shuffles, where the size is a power of 2.
+The reason is that the underlying proofs, such as the~\gls{ipa}, needs to fold recursively down to 1, by halving the size in every round.
+

report/src/sections/02-related-work.tex

@@ -0,0 +1,56 @@
+\section{Related Work}\label{sec:related-work}
+
+
+
+
+\subsection{Single Secret Leader Election}\label{sec:related-work-SSLE}
+A~\gls{ssle} is a protocol where a group of participants randomly elects only one leader from the group.
+The identity of the leader is kept secret from all other participants so only the leader themselves know that they have been chosen.
+The elected leader can then later publicly prove that they have been elected~\cite{10.1145/3419614.3423258}.
+
+Leading research on~\gls{ssle} includes proposals for post-quantum secure protocols based on Learning With Errors and Ring Learning With Errors~\cite{cryptoeprint:2023/1241}.
+This work also constructs a new concept called~\gls{rrc} for easier work with such protocols.
+\gls{rrc} is based on the commit-and-shuffle approach also used in Whisk.
+
+One of the use cases of~\gls{ssle} is to make~\gls{pos} blockchains more secure due to the added privacy that the proposer has.
+
+One~\gls{pos} blockchain that uses an~\gls{ssle} is Polkadot which uses Safrole as their~\gls{ssle} protocol~\cite{safrole}.
+Safrole is the production version of the research protocol Sassafras~\cite{sassafras}.
+In this, validators each produce a number of tickets, some of which are winning, depending on some threshold.
+A~\gls{zk-snark} is then used to prove that a ticket is winning, after which the winning tickets are published to the chain.
+A randomization algorithm will then pick, from all the winning tickets, proposers for all the slots two epochs later.
+
+
+
+\subsection{Shuffling algorithms}\label{subsec:related-work-shuffling-algorithm}
+
+The Håstad square shuffle~\cite{haastad2006square} is one of the proposed ways of shuffling, which could be integrated in a shuffling~\gls{ssle} such as Whisk.
+The Håstad square shuffle is a shuffling algorithm that shuffles a vector with $n$ items with a shuffle size of $\sqrt {n}$.
+The algorithm works by re-arranging the vector into a~$\sqrt{n}\times\sqrt{n}$ square matrix.
+It then works in time steps, starting at 1.
+For each odd step, each column and its elements are shuffled independently.
+For each even step, each row and its elements are shuffled independently as well.
+Håstad shows that at least three time steps are needed for the shuffle to be secure.
+The Håstad shuffle is more rigid than the shuffling algorithm used in curdleproofs~\cite{cryptoeprint:2022/560} because of the fixed size of the shuffle being $\sqrt{n}$.
+
+The Feistel shuffle~\cite{Feistle} is a previously used shuffle method in the Whisk protocol~\cite{Whisk2024}.
+It takes $n$ number of validator trackers and arranges them in a $k\times k$ matrix.
+Each round the $i$-th proposer selects the $i$-th row of the created matrix and shuffles it in the form $F(x,y)=(y,x+y^3\text{ mod }k)$.
+The Feistel shuffle was later replaced by the shuffle proposed by Larsen et al.~\cite{cryptoeprint:2022/560}.
+Ethereum mentioned the reason for this to be that the shuffle by Larsen et al.\ provides a simpler protocol~\cite{Whisk2024}.
+
+\subsection{Bulletproofs}\label{subsec:related-work-bulletproofs}
+A big inspiration for the Curdleproofs protocol is bulletproofs~\cite{bunz2018bulletproofs}.
+Bulletproofs is a type of range proof that uses inner product arguments to prove that a committed value is within a certain range without revealing the value itself.
+Bulletproofs is in itself not a zero-knowledge proof system, but with the help of Fiat Shamir~\cite{bunz2018bulletproofs} it can be used to create a zero-knowledge proof.
+Bulletproofs also has had a few iterations and improvements to increase the speed and reduce the size of the proof since it was used in curdleproofs.
+
+One of these is Bulletproofs+~\cite{chung2022bulletproofs+} which uses a weighted inner product argument instead of the standard inner product argument to achieve a better performance.
+Bulletproofs+ is also a zero-knowledge proof by itself unlike the original bulletproofs.
+Trying to modify Curdleproofs with the weighted inner product argument introduces complications that would need larger modifications and is therefore not suitable.
+This can be seen in~\autoref{sec:curdleproofs-weighted-inner-product-argument-modification-attempt}
+
+A third version of the Bulletproofs protocol is Bulletproofs++~\cite{eagen2024bulletproofs++} which uses a new type of argument called the norm argument to achieve a better performance.
+This comes from the prover only needing to commit to a single vector, rather than two.
+Therefore, with the two vectors, $x$ and $y$ of a standard~\gls{ipa}, they need to assume $x=y$ for their protocol to work.
+Then, along with the norm being weighted, which raises the same complications as with Bulletproofs+, this makes it unsuitable for Curdleproofs.